Manually scanning an image for OS vulnerabilities in Amazon ECR - Amazon ECR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Manually scanning an image for OS vulnerabilities in Amazon ECR

If your repositories aren't configured to scan on push, you can manually start image scans. An image can be scanned once per 24 hours. The 24 hours includes the initial scan on push, if configured, and any manual scans.

For troubleshooting details for some common issues when scanning images, see Troubleshooting image scanning in Amazon ECR.

Amazon Web Services Management Console

Use the following steps to start a manual image scan using the Amazon Web Services Management Console.

  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/private-registry/repositories

  2. From the navigation bar, choose the Region to create your repository in.

  3. In the navigation pane, choose Repositories.

  4. On the Repositories page, choose the repository that contains the image to scan.

  5. On the Images page, select the image to scan and then choose Scan.

Amazon CLI

  • start-image-scan (Amazon CLI)

    The following example uses an image tag.

    aws ecr start-image-scan --repository-name name --image-id imageTag=tag_name --region us-east-2

    The following example uses an image digest.

    aws ecr start-image-scan --repository-name name --image-id imageDigest=sha256_hash --region us-east-2
Amazon Tools for Windows PowerShell

  • Get-ECRImageScanFinding (Amazon Tools for Windows PowerShell)

    The following example uses an image tag.

    Start-ECRImageScan -RepositoryName name -ImageId_ImageTag tag_name -Region us-east-2 -Force

    The following example uses an image digest.

    Start-ECRImageScan -RepositoryName name -ImageId_ImageDigest sha256_hash -Region us-east-2 -Force